Computer Security
JBoss insecure defaults
updated since 22.02.2007
Published:23.02.2007
Source:
SecurityVulns ID:7280
Type:remote
Threat Level:
5/10
Description: The web console and management tools are accessible without authentication.
CVE:CVE-2007-1157 (Cross-site request forgery (CSRF) vulnerability in jmx-console/HtmlAdaptor in JBoss allows remote attackers to perform privileged actions as administrators via certain MBean operations, a different vulnerability than CVE-2006-3733.)
 CVE-2007-1156 (JBrowser allows remote attackers to bypass authentication and access certain administrative capabilities via a direct request for _admin/.)
 CVE-2007-1036 (The default configuration of JBoss does not restrict access to the (1) console and (2) web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests.)
Original document: buben.razuma_(at)_gmail.com, JBoss jmx-console CSRF (23.02.2007)

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:23.02.2007
Source:
SecurityVulns ID:7292
Type:remote
Threat Level:
5/10
Description: PHP file inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected:WORDPRESS : WordPress 2.0
 WORDPRESS : WordPress 2.1
 WEBSPELL : webSPELL 3.01
 CONNECTIX : Connectix Boards 0.7
 DBIMAGEGALLERY : DBImageGallery 1.2
 DBGUESTBOOK : DBGuestBook 1.1
 DZCP : deV!Lz Clanportal 1.4
 ULTIMATEFUNBOARD : Ultimate Fun Book 1.02
 ONLINEWEBBUILDIN : Online Web Building 2.0
 PEANUTKB : Peanut Knowledge Base 0.0
 FLASHGAMESCRIPT : FlashGameScript 1.5
 DESIGN4ONLINE : UserPages2 2.0
CVE:CVE-2007-1255 (Unrestricted file upload vulnerability in admin.bbcode.php in Connectix Boards 0.7 and earlier allows remote authenticated administrators to execute arbitrary PHP code by uploading a crafted GIF smiley image with a .php extension via the uploadimage parameter to admin.php, which can be later accessed via a direct request for the file in smileys/. NOTE: this can be leveraged with a separate SQL injection issue for remote unauthenticated attacks.)
 CVE-2007-1254 (SQL injection vulnerability in part.userprofile.php in Connectix Boards 0.7 and earlier allows remote authenticated users to execute arbitrary SQL commands and obtain privileges via the p_skin parameter to index.php.)
 CVE-2007-1167 (inc/filebrowser/browser.php in deV!L`z Clanportal (DZCP) 1.4.5 and earlier allows remote attackers to obtain MySQL data via the inc/mysql.php value of the file parameter.)
 CVE-2007-1165 (Multiple PHP remote file inclusion vulnerabilities in DBGuestbook 1.1 allow remote attackers to execute arbitrary PHP code via a URL in the dbs_base_path parameter to (1) utils.php, (2) guestbook.php, or (3) views.php in includes/.)
 CVE-2007-1164 (Multiple PHP remote file inclusion vulnerabilities in DBImageGallery 1.2.2 allow remote attackers to execute arbitrary PHP code via a URL in the donsimg_base_path parameter to (1) attributes.php, (2) images.php, or (3) scan.php in admin/; or (4) attributes.php, (5) db_utils.php, (6) images.php, (7) utils.php, or (8) values.php in includes/.)
 CVE-2007-1147 (PHP remote file inclusion vulnerability in view.php in hbm allows remote attackers to execute arbitrary PHP code via a URL in the hbmpath parameter.)
 CVE-2007-1146 (PHP remote file inclusion vulnerability in function.php in arabhost allows remote attackers to execute arbitrary PHP code via a URL in the adminfolder parameter.)
 CVE-2007-1078 (PHP remote file inclusion vulnerability in index.php in FlashGameScript 1.5.4 allows remote attackers to execute arbitrary PHP code via a URL in the func parameter.)
 CVE-2007-1077 (SQL injection vulnerability in page.asp in Design4Online UserPages2 2.0 allows remote attackers to execute arbitrary SQL commands via the art_id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2007-1059 (PHP remote file inclusion vulnerability in function.php in Ultimate Fun Book 1.02 allows remote attackers to execute arbitrary PHP code via a URL in the gbpfad parameter. NOTE: some sources mention "Ultimate Fun Board," but this appears to be an error.)
 CVE-2007-1058 (SQL injection vulnerability in user_pages/page.asp in Online Web Building 2.0 allows remote attackers to execute arbitrary SQL commands via the art_id parameter.)
 CVE-2007-1049 (Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before 2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the file parameter to wp-admin/templates.php, and possibly other vectors involving the action variable.)
 CVE-2007-1039 (Unspecified vulnerability in Peanut Knowledge Base (PeanutKB) 0.0.3 and earlier has unknown impact and attack vectors.)
Original documents: malic89_(at)_gmail.com, FlashGameScript v1.5.4 Remote File Inclusion Vulnerability (23.02.2007)
 RaeD Hasadya, Hasadya Raed (23.02.2007)
 sn0oPy.team_(at)_gmail.com, JBrowser access to admin/config files (23.02.2007)
 r.verton_(at)_gmail.com, WebSpell > 4.0 Authentication Bypass and arbitrary code execution (23.02.2007)
 XORON, Online Web Building v2.0 (id) Remote SQL Injection (23.02.2007)
 kezzap66345, Ultimate Fun Book 1.02 (function.php) Remote File Include Vulnerability (23.02.2007)
 Kiba, DZCP (Devilz Clanportal) <= 1.4.5 Mysql Data viewable (23.02.2007)
 Denven, DBGuestbook 1.1 (dbs_base_path) Remote File Include Vulnerabilities (23.02.2007)
 Denven, DBImageGallery 1.2.2 (donsimg_base_path) RFI Vulnerabilities (23.02.2007)
Files: webSPELL <= v4.01.02 (topic) Remote SQL Injection
 Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit

Nortel NetDirect client for Linux weak permissions
Published:23.02.2007
Source:
SecurityVulns ID:7293
Type:local
Threat Level:
5/10
Description: Weak permissions on a temporary folder created during installation.
CVE:CVE-2007-1057 (The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client.)
Files: Exploits Nortel SSL VPN Linux Client race condition

Distributed Checksum Clearinghouse unauthorized management
Published:23.02.2007
Source:
SecurityVulns ID:7294
Type:remote
Threat Level:
5/10
Affected:DCC : Distributed Checksum Clearinghouse 1.3
CVE:CVE-2007-1047 (Unspecified vulnerability in Distributed Checksum Clearinghouse (DCC) before 1.3.51 allows remote attackers to delete or add hosts in /var/dcc/maps.)

IBM DB2 database multiple security vulnerabilities
Published:23.02.2007
Source:
SecurityVulns ID:7295
Type:local
Threat Level:
6/10
Description: Multiple privilege escalations, arbitrary file creation.
Affected:IBM : DB2 8.1
 IBM : DB2 9.1
CVE:CVE-2007-1228 (IBM DB2 UDB 8.2 before Fixpak 7 (aka fixpack 14), and DB2 9 before Fix Pack 2, on UNIX allows the "fenced" user to access certain unauthorized directories.)
 CVE-2007-1089 (IBM DB2 Universal Database (UDB) 9.1 GA through 9.1 FP1 allows local users with table SELECT privileges to perform unauthorized UPDATE and DELETE SQL commands via unknown vectors.)
 CVE-2007-1088 (Stack-based buffer overflow in IBM DB2 8.x before 8.1 FixPak 15 and 9.1 before Fix Pack 2 allows local users to execute arbitrary code via a long string in unspecified environment variables.)
 CVE-2007-1087 (IBM DB2 8.x before 8.1 FixPak 15 and 9.1 before Fix Pack 2 does not properly terminate certain input strings, which allows local users to execute arbitrary code via unspecified environment variables that trigger a heap-based buffer overflow.)
 CVE-2007-1086 (Unspecified binaries in IBM DB2 8.x before 8.1 FixPak 15 and 9.1 before Fix Pack 2 allow local users to create or modify arbitrary files via unspecified environment variables related to "unsafe file access.")
Original documents: IDEFENSE, iDefense Security Advisory 02.22.07: IBM DB2 Universal Database DB2INSTANCE File Creation Vulnerability (23.02.2007)
 IDEFENSE, iDefense Security Advisory 02.22.07: IBM DB2 Universal Database Multiple Privilege Escalation Vulnerabilities (23.02.2007)

Verisign multiple products ActiveX element buffer overflow
Published:23.02.2007
Source:
SecurityVulns ID:7296
Type:client
Threat Level:
6/10
Description: Buffer overflow in the ConfigChk ActiveX control.
CVE:CVE-2007-1083 (Buffer overflow in the Configuration Checker (ConfigChk) ActiveX control in VSCnfChk.dll 2.0.0.2 for Verisign Managed PKI Service, Secure Messaging for Microsoft Exchange, and Go Secure! allows remote attackers to execute arbitrary code via long arguments to the VerCompare method.)
Original document: IDEFENSE, iDefense Security Advisory 02.22.07: VeriSign ConfigChk ActiveX Control Buffer Overflow Vulnerability (23.02.2007)

Mac OS X ImageIO integer overflow
Published:23.02.2007
Source:
SecurityVulns ID:7299
Type:library
Threat Level:
6/10
Description: Integer overflow during GIF image parsing.
Affected:APPLE : Mac OS X 10.4
CVE:CVE-2007-1071 (Integer overflow in the gifGetBandProc function in ImageIO in Apple Mac OS X 10.4.8 allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image that triggers the overflow during decompression. NOTE: this is a different issue than CVE-2006-3502 and CVE-2006-3503.)

Mercur Messaging 2005 multiple security vulnerabilities
Published:23.02.2007
Source:
SecurityVulns ID:7300
Type:remote
Threat Level:
5/10
Description: Multiple DoS conditions and buffer overflows.
Affected:MERCUR : MERCUR Messaging 2005
CVE:CVE-2006-7041 (The SMTP service in MERCUR Messaging 2005 before Service Pack 4 allows remote attackers to cause a denial of service (infinite loop) via a message in which neither the originator nor recipient address is known.)
 CVE-2006-7040 (Unspecified vulnerability in MERCUR Messaging 2005 before Service Pack 4 allows remote attackers to cause a denial of service (crash) via a TOP command to the POP3 service.)
 CVE-2006-7039 (The IMAP4 service in MERCUR Messaging 2005 before Service Pack 4 allows remote attackers to cause a denial of service (crash) via a message with a long subject field.)
 CVE-2006-7038 (Multiple buffer overflows in MERCUR Messaging 2005 before Service Pack 4 allow remote attackers to cause a denial of service (crash) via (1) "long command lines at port 32000" and (2) certain name service queries that are not properly handled by the SMTP service.)

Multiple browsers OnUnload event handler different vulnerabilities
updated since 23.02.2007
Published:28.02.2007
Source:
SecurityVulns ID:7297
Type:client
Threat Level:
6/10
Description: Various memory corruptions caused by race conditions in the OnUnload handler. Address bar spoofing and the creation of pages that cannot be left are also possible.
Affected:MICROSOFT : Windows 2000 Server
 MICROSOFT : Windows 2000 Professional
 MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MOZILLA : Firefox 1.5
 MOZILLA : Firefox 2.0
 MICROSOFT : Windows Vista
 OPERA : Opera 9.20
CVE:CVE-2007-1256 (Mozilla Firefox 2.0.0.2 allows remote attackers to spoof the address bar, favicons, and document source, and perform updates in the context of arbitrary websites, by repeatedly setting document.location in the onunload attribute when linking to another website, a variant of CVE-2007-1092.)
 CVE-2007-1095 (Mozilla Firefox does not properly implement JavaScript onUnload handlers, which allows remote attackers to run certain JavaScript code and access the location DOM hierarchy in the context of the next web site that is visited by a client.)
 CVE-2007-1094 (Microsoft Internet Explorer 7 allows remote attackers to cause a denial of service (NULL dereference and application crash) via JavaScript onUnload handlers that modify the structure of a document.)
 CVE-2007-1092 (Mozilla Firefox 1.5.0.9 and 2.0.0.1, and SeaMonkey before 1.0.8 allow remote attackers to execute arbitrary code via JavaScript onUnload handlers that modify the structure of a document, which triggers memory corruption due to the lack of a finalize hook on DOM window objects.)
 CVE-2007-1091 (Microsoft Internet Explorer 7 allows remote attackers to prevent users from leaving a site, spoof the address bar, and conduct phishing and other attacks via onUnload Javascript handlers.)
Original documents: perpetualmotionuk, RE: MSIE7 browser entrapment vulnerability (probably Firefox, too) (28.02.2007)
 MOZILLA, Mozilla Foundation Security Advisory 2007-08 (27.02.2007)
 SECUNIA, Secunia Research: Internet Explorer 7 "onunload" Event Spoofing Vulnerability (23.02.2007)
 Michal Zalewski, Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) (23.02.2007)
 Michal Zalewski, MSIE7 browser entrapment vulnerability (probably Firefox, too) (23.02.2007)
 Michal Zalewski, Firefox: onUnload tailgating (MSIE7 entrapment bug variant) (23.02.2007)

Mozilla Firefox information leak
updated since 23.02.2007
Published:23.02.2008
Source:
SecurityVulns ID:7298
Type:remote
Threat Level:
4/10
Description: A script can check whether a given web page has been visited by the user.
Affected:MOZILLA : Firefox 1.5
 MOZILLA : Firefox 2.0
CVE:CVE-2007-1116 (The CheckLoadURI function in Mozilla Firefox 1.8 lists the about: URI as a ChromeProtocol and can be loaded via JavaScript, which allows remote attackers to obtain sensitive information by querying the browser's session history.)
Original document: pdp (architect), Firefox Cache Hack - Firefox History Hack redux (23.02.2007)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod